Five tools in mind

by Mark Rowe

The security manager is both a security specialist and a business manager, writes Alejandro Pulido, CPP, member of ASIS and an ISO 31000 Lead Risk Manager.

However, until ten years ago or so, only his security skills were valued, and his work was limited to protecting the tangible assets of the company and/or its facilities. This was due mostly to two major deficiencies within security departments. First, they focused solely on complying with the protocols and processes established for their own operation; they were unaware of the activities of other departments, had no direct contact with them, and had only slight knowledge of the products and/or services the company offered. Second, the security manager lacked the communication skills and the knowledge of business language needed to establish direct and effective contact with top management. As a result, the work of the security department was downgraded and placed under the control of another division, but neither the department managers knew what the security manager was doing, nor did he know what the other departments and senior management were doing.

Fortunately for our profession, this keeps changing at high speed thanks to preparation, effort and the certification of competencies, as well as the increasing participation of the terrific and priceless Women in Security, but we are still a long way from where we want to be. Although security managers at the operational, tactical and strategic levels of business management must be able to apply and promulgate within the organization the tools I humbly suggest below, it is the security managers at the strategic level whom I intend to motivate: country managers, regional managers, global directors of security and/or CSOs. For these tools a top-down approach within the enterprise is easier and advisable. It means the security department is no longer focused solely on the company’s assets while management is focused solely on the company’s vision, mission and objectives; they are no longer siloed divisions, but interwoven and leaning on each other to ensure success.

The five tools I bring to mind, only briefly because of the article’s size, are intended to be only a guide, since there is a vast literature on each of them. Once they are studied in depth and understood at all levels of the organization, they offer the security manager a whole and clear view of business RISK, as well as a valuable opportunity to be appreciated as a business partner, which is the true perception of the security role.

ESRM – Enterprise Security Risk Management

ESRM is a security program management process that links security activities with the vision, mission, objectives and goals of a company through risk management methods. ESRM is not convergence; it is used to manage security risks effectively and proactively, at all levels of the business. ESRM continually assesses the full scope of security-related risks to an organization and its tangible, intangible, and mixed assets. The management process quantifies threats, identifies risk acceptance practices, and manages incidents involving the proper alignment of responsibilities, resources, risks, and mitigation efforts. Its practice builds relationships between the security function and those who manage the assets at risk; it applies to all aspects of security within the organization and allows risks to be analyzed in context, qualitatively and/or quantitatively, which enables the C-suite to prioritize resources and risk mitigation efforts. The role of security managers in ESRM is to manage security vulnerabilities to company assets in a risk decision-making partnership with the top management in charge of those assets. ESRM involves making top management aware of the realistic impacts of identified risks, presenting potential strategies to mitigate those impacts, and then enacting the option chosen by the organization in line with its accepted level of business risk appetite.

ORMS – Organizational Resilience Management System

ORMS applies in public, non-profit and private sector organizations. It is an integrated management system for planning the actions and decisions necessary to anticipate, prevent if possible, and prepare for and respond to incidents. It improves an organization’s ability to manage and survive an adverse event, and to take all necessary actions to help ensure business continuity. Regardless of the organization, top management has a duty to stakeholders to plan for its survival. ORMS provides generic auditable criteria, helps organizations prepare to deal with emergencies or irregular situations, encourages organizations to analyze stakeholder requirements and define processes that contribute to success, and provides a continuous improvement framework for increasing the likelihood of improving safety, preparedness, response and resilience. It gives confidence to the organization and its customers that the organization can provide a safe and secure environment that meets the requirements of the organization and its stakeholders. It integrates the analysis of risks and threats as the basis for the preparation of management plans. Its implementation allows the organization to identify risks and threats and prepare for them; to identify and manage threat mitigation policies; to identify, analyze and manage business continuity alternatives; and to reduce costs due to loss of resources and/or operational shutdown.

Security awareness

Many organizations believe that the security department alone is responsible for security. Security awareness requires that everyone in the organization be committed. Everyone should feel like a security person, understanding that this is a way for employees to bring value to the organization. SA is a culture of security in which everybody can improve the company by being aware and security-conscious; security belongs to everyone, from the CEO to the parking lot security guard. Everyone is part of the security solution and the security culture of the company.

SA provides guidance to help establish, implement, and communicate a security awareness program. When security awareness and training mandates do not come from top management, there is very little room for change. Creating a culture of security awareness also requires a change in the way organizations deal with security. The goal of an SA program is to promote organizational and individual actions that can be taken to reduce risks and promote a culture of security. Security managers need to consider the following when trying to change employee behaviour:

What matters most is the leadership they exercise and how it reflects on their employees. SA provides general principles, guidance, and examples to help organizations create and maintain an effective security awareness culture as part of an enterprise security risk management program, applicable to organizations of all sizes and types, regardless of industry or of public, private or not-for-profit sector.

ISO 31000

The ISO 31000 standard is a tool that establishes a series of principles for the implementation of a Risk Management System in companies. Like all ISO standards it is voluntary; it is a non-certifiable standard, and companies that wish to reduce the obstacles that prevent the achievement of their objectives voluntarily adhere to its guidelines. It can be applied to any type of organization regardless of its size, target market, source of capital, commercial spectrum or financial funding, without specifying any particular area or sector. ISO 31000 focuses on integration with the organization and on the role and responsibility of leaders. Risk practitioners are often at the margins of organizational management, and this emphasis will help them demonstrate that risk management is an integral part of the business.

The standard is based on the fact that all companies, to a greater or lesser extent, carry out risk management practices. The difference lies in the coordination and alignment of these practices. This is achieved through the integration of the Risk Management System into the strategy of each organization, as well as into its processes, policies and culture.

In fact, it is not a rule designed for specific circumstances, but rather seeks continuous and permanent application over time. Thereby it benefits the bulk of actions, decisions, operations, processes, functions, projects, services and assets in companies. ISO 31000 provides a structure or framework that enables the company to assess and manage risks, and gives the business steps to anticipate most issues and identify measures to mitigate their impact.

Its implementation helps an organization identify threats and opportunities, minimize losses, improve operational efficiency and effectiveness, encourage staff to identify and address risks, and improve risk management controls. In its latest version, ISO 31000:2018, the standard introduced changes mainly concerning senior management and leadership, risk management principles as a key element for success in the design, implementation, operation, maintenance and improvement of the management system, the integration of risk into the framework, and the iterative nature of risk. The security manager should apply the standard in any activity, including decision-making at all levels; using the principles, the framework and especially the process for security risks allows him to achieve his objectives, to allocate and use resources effectively for risk treatment, and to manage risk efficiently, effectively and coherently.

Workplace violence

Workplace violence is any act or threat of physical violence, harassment, intimidation, or other threatening disruptive behaviour that occurs in the workplace. It ranges from verbal threats and abuse to physical assaults and even homicides. The active shooter event has sometimes been under-estimated in LATAM countries under the mistaken belief that it only happens in the USA, but the reality is that it does happen daily under different names, such as massacres, vendettas and hitmen, and the worrying issue is that a serious survey in 2018 revealed that 49pc of the surveyed companies in the United States had neither effective communication plans nor response training, so that percentage may be even higher in Latin America.

The active shooter event is the most violent and tragic expression of workplace violence, and that is why WVPI (Workplace Violence Prevention and Intervention) now includes guidance on prevention, intervention, and response to incidents involving an active assailant/active shooter. Security managers are the best source of practical experience on topics such as physical security on site and proper incident management techniques, including initial risk detection, background investigations and police intervention, and security personnel will be the first to be contacted about a violent incident or threat of violence.

WVPI provides an overview of the policies, processes and protocols that organizations can adopt to help identify and prevent threatening behaviour and violence that affect the workplace, as well as to better address and resolve threats and violence that have already occurred. WVPI defines which staff within the organization are typically involved in prevention and intervention initiatives, outlines a proactive organizational approach to workplace violence, and proposes resources for the organization to better address behaviour that has raised concern. WVPI also describes the implementation of a workplace violence prevention and intervention program and protocols for managing and resolving incidents in a safe and effective manner. It is about the organization having the processes in place to manage that potential threat and to try to keep actual acts of violence from occurring.

A recurring word in all the above-mentioned tools is RISK, and that is the reason the security manager position is evolving into risk manager, where not only security risks but also safety or HSE risks are considered holistically, along with a whole analysis of upstream and downstream risks in the supply chain. Finally, strategic security managers must have two key distinctive skills: first, effective leadership based on five pillars, that is to say knowledge, experience, example, treating people well and a sense of corporate belonging; second, proficiency in the English language, allowing them to communicate effectively with the C-suite globally and to serve as a bridge with the tactical and operational levels.

I conclude by sharing this thought: the most valuable asset, notwithstanding the type of organisation, is people, and they are who make a company great, so security managers should use their communication skills as a supreme instrument to achieve the full commitment of all employees under their umbrella, and by doing so become key influencers for the rest of the human team, in pursuit of accomplishing shared goals and objectives.
